How to create, manage and store passwords securely

Jareth

11 months ago

Let’s face it: staying on top of your digital life can be a nightmare these days. The average person has more than 90 online accounts to manage, according to recent figures. By 2020, this number is expected to balloon to over 200.

Having robust login credentials is essential for protecting your identity and ensuring your data stays out of the hands of the bad guys. However, there’s simply no way to mentally keep track of all these passwords (particularly if you’re being a good digital citizen and using unique alphanumeric combinations for every single password).

What’s the solution?

In this article, we’ve put together everything you need to know as a business or home user to manage your passwords safely and securely.

Why is it so important to have a good password?

It’s important to have a good password for one very simple reason: it prevents unauthorized access to your physical devices and online accounts. If your password is easy to crack, a cybercriminal may be able to gain access to your bank, social media, email and other private accounts, which could have a devastating effect on your life.

The importance of having robust passwords is particularly pronounced for small businesses. Not only do business owners need to ensure their mission-critical data is safe in order to minimize company downtime, they also need to be doing everything they can to protect their clients’ personal information, which may be stored on the company’s system. Small businesses often find themselves in the hackers’ crosshairs, due to the fact they typically don’t have the resources to support a dedicated IT security team. Cybercriminals are well aware of this – in 2016, about half of all small- and medium-sized businesses in the US experienced a breach, according to figures collated by Keeper Security.

Of course, none of this should come as shocking news. In fact, you’re probably sick and tired of security experts telling you to improve your password hygiene. However, it seems that a pretty big chunk of the population has yet to get the memo, as far too many people are still relying on passwords that are about as secure as a wet paper bag (read: not at all). As SplashData reported, the two most popular (i.e. the worst) passwords of 2017 were, for the fourth year in a row, ‘123456’ and ‘password’. Other notable mentions included ‘qwerty’ (coming in at #4), ‘iloveyou’ (#10) and ‘starwars’ (#16).

How hackers steal your passwords

So, having a strong password makes it less likely for a cybercriminal to obtain your login credentials. But how exactly do hackers steal your passwords in the first place?

1. Password leaks

Every now and then a major company is hacked (Yahoo, Dropbox and Gmail to name but three), resulting in millions of passwords being leaked onto the web. Not only does this mean that a criminal can potentially gain access to your leaked account, they may also be able to use the leaked information to log in to your other accounts.

How?

Well, if you’re one of the 87 percent of people who reuse their passwords, a hacker can simply use your leaked password and attempt to log in to your other private accounts. Credential recycling can be attempted with passwords collected via any means (not just password leaks), which highlights the fact that you should never reuse the same password.

2. Brute force attacks

A brute force attack is an attack in which cybercriminals methodically try logging in to your account using every possible combination of characters until they get the correct password. As you might imagine, this would be impossible to do manually, so hackers use purpose-made tools that are capable (if run on the right hardware) of processing millions of attempts per second. The shorter the password, the quicker a brute force attack will be able to steal it.

3. Keyloggers

A keylogger is a certain breed of malware that runs hidden in the background of your computer. If allowed to go undetected, a keylogger can track every key you press on your keyboard and transmit this information to a malicious party, enabling criminals to steal your login credentials. An effective anti-malware product is essential for keeping your passwords safe, protecting your computer against malware and ensuring your system is clean of keyloggers.

4. Phishing

Phishing is a form of social engineering that preys on human nature. Essentially, phishing is all about tricking users to willingly divulge sensitive information (such as login credentials, credit card details and so on) by disguising malicious websites and apps as legitimate services. When you enter your information into the bogus website, you’re inadvertently sending the data straight into the hands of the criminals who can then freely assume your identity and login to your private accounts. Phishing remains incredibly prevalent, presumably because it’s proven time and time again to be an effective attack vector. Some reports indicate that more than 3 in 4 businesses were affected by phishing in 2017.

5. Post-exploitation tools

Another way that criminals commonly steal passwords is through the use of post-exploitation tools. As the name implies, attackers use these tools on systems they have already successfully exploited in order to gain better control of the device or network. The widely used Mimikatz tool, for example, can be used – among other things – to quickly harvest information that may be of value, including all the existing passwords on the compromised system.

6. Rainbow table

Even if you, as a consumer, devise a great password, it could still be stolen if the service you’re using it for has poor password storage practices. Most vendors nowadays are aware of the dangers of storing passwords in plaintext (more on that later), and instead store their passwords as hashes. A cryptographic hash function is a mathematical algorithm that turns any input into a fixed-size digest, similar to a checksum (a value typically used to detect data errors). With a cryptographic hash, a vendor can verify that a password is correct by hashing what the user typed and comparing the result with the hash in the database. The entire process takes place without the vendor ever needing to store what the password actually is.

While this might sound like a very secure way of storing passwords, hashes do have their flaws. With the most commonly used hashes (MD5 and SHA-1), a given password always produces the same hash value, which means the hashes of huge numbers of candidate passwords can be (and have been) precalculated. These precalculated values are stored in a list known as a rainbow table, which criminals frequently use to reverse hashed passwords via simple lookups. Once they’ve stolen the hash and cracked the password using the rainbow table, the hackers can use the login credentials on other websites where they suspect the user has reused the password. In this scenario, the length of the password is totally irrelevant as the table only takes the hash into account.

To counter this problem, vendors are increasingly looking to salted hashes, which incorporate randomness into each stored password to further obfuscate the password. With a salted hash, each individual password requires its own rainbow table to crack, making it computationally impractical for criminals to attempt.
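The contrast between an unsalted table lookup and a salted, slow hash, as an added example (not the article's or any vendor's code): a constructed five-entry dictionary stands in for a rainbow table, and the `algorithm$iterations$salt$digest` record format is a hypothetical one chosen for this example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed stand-in for a rainbow table: unsalted MD5 digests of the weak
# passwords named in the article, keyed so a stolen digest reverses in one lookup.
WEAK_PASSWORDS = ["123456", "password", "qwerty", "iloveyou", "starwars"]
UNSALTED_TABLE = {hashlib.md5(p.encode()).hexdigest(): p for p in WEAK_PASSWORDS}


def lookup_unsalted(md5_hex: str) -> Optional[str]:
    """Reverse an unsalted MD5 digest by table lookup; None if not precomputed."""
    return UNSALTED_TABLE.get(md5_hex)


def store_password(password: str, iterations: int = 600_000) -> str:
    """Hash a password with a fresh 16-byte random salt and a slow KDF (PBKDF2).

    The record is self-describing (hypothetical algorithm$iterations$salt$digest
    layout) so the work factor can be raised later without breaking old records.
    Because the salt is random, two users with the same password get different
    records, and a precomputed table built for unsalted hashes is useless here.
    """
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record type: {algo}")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    # hmac.compare_digest avoids leaking the match position through timing.
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    stolen = hashlib.md5(b"password").hexdigest()
    print("unsalted MD5 reversed by lookup:", lookup_unsalted(stolen))
    record = store_password("password")
    print("salted record:", record)
    print("lookup against salted digest:", lookup_unsalted(record.split("$")[3]))
    print("verify correct password:", verify_password("password", record))
```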

Are you concerned that your login credentials might have been stolen without your knowledge? Use haveibeenpwned to put your mind at ease. Simply enter your email address and the site will crosscheck it with hundreds of the biggest hacks in recent history and let you know if you’re at risk. You can also use the tool to send you an alert if it finds your email address in any future data leaks.

How to create a good, strong password

So, a good password is an important part of your defense system, but what does this mean in practical terms? Well, in regards to password best practices, things have changed quite a bit in recent years.

“Through 20 years of effort, we’ve successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess” – XKCD.

In the past, the general rule of thumb was that your password should be as complex as possible. As a diligent internet user, you ensured your password included numbers, symbols, and uppercase and lowercase letters, and the resulting password might have looked something like this:

3s+zq&KW

However, we’ve steadily moved away from this approach. The US government recently updated its password recommendations to reflect the modern take on passwords and even Bill Burr, author of NIST Special Publication 800-63 Appendix A (one of the first resources to encourage people to incorporate obscure characters into their passwords) recently admitted to The Wall Street Journal that there were some flaws in his original work. Simply put, everyone’s finally realized something: computers are not humans.

While the above password would be undeniably difficult for a human to guess, to a computer it’s no more secure than any other eight-character combination such as ‘magazine’ or ‘princess’ or ‘umbrella’.

The good news is that creating a robust password doesn’t have to be difficult. Here are three basic ground rules when it comes to creating a secure password in 2018:

1. Length is the new king

The cornerstone of making a good password has shifted from complexity to length. Each additional character makes your password exponentially more resistant to brute force attacks. As such, a great password can be made by simply stringing a bunch of random words together into a long phrase, such as:

vagantgerontogenousnidifugousyorkkelpielongiloquence

The longer, the better. We recommend aiming for a minimum of 16 characters.

2. Keep it unique

As we touched on earlier, reusing the same password for multiple websites, apps or devices exposes you to all sorts of unnecessary risk. Yes, you might have dozens or even hundreds of accounts to keep track of, but that doesn’t justify recycling your credentials. Make every password unique and secure, even if it’s for a service that you’re only going to use once or twice. There’s always a chance, no matter how slim, that one day you’ll give these ‘lesser services’ your credit card details and you’re highly likely to forget to strengthen your password when that time comes.

3. Make it random

In addition to length, it’s important that your password is also random. If you opt to use a string of random words as described earlier, don’t rely on your brain to conjure up a few seemingly ‘random’ words because there’s a good chance these words will be easier to guess than you might think. Instead, use a trusted password generator to produce truly random character combinations. Similarly, avoid using common phrases, pop culture quotes and references, and personally meaningful passwords such as birthdays, anniversaries, pets’ names etc. The latter increases your risk of being manually hacked by a particularly studious criminal who may scour your online presence for password clues.
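The three rules above put into numbers, as an added example that is not from the article: it draws words with the OS random number generator and compares the guessing space of the article's eight-character cases against a random 16-character string and a random six-word passphrase. The word list is a constructed toy sample; the 7,776-word figure is the size of a standard diceware list and the 10 million guesses per second rate is an assumed attacker speed.

```python
import math
import secrets

# Constructed toy wordlist standing in for a real diceware list. The entropy
# maths takes the list size as a parameter, so the figures quoted for a
# 7,776-word list hold regardless of how short this sample is.
SAMPLE_WORDS = ["vagant", "gerontogenous", "nidifugous", "york", "kelpie",
                "longiloquence", "magazine", "princess", "umbrella", "starwars"]

SECONDS_PER_YEAR = 365 * 24 * 3600


def charset_entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of a uniformly random string of `length` symbols from a pool."""
    return length * math.log2(pool_size)


def passphrase_entropy_bits(words_in_list: int, words_chosen: int) -> float:
    """Entropy when each word is drawn uniformly and independently from the list."""
    return words_chosen * math.log2(words_in_list)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given guessing rate."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


def generate_passphrase(wordlist, count: int = 6, sep: str = "-") -> str:
    """Draw words with the OS CSPRNG (secrets), not random.choice or a human pick."""
    return sep.join(secrets.choice(wordlist) for _ in range(count))


def compare_strengths(guesses_per_second: float = 10_000_000) -> dict:
    """Entropy (bits) and exhaustion time for the article's cases plus two random ones.

    A dictionary word is scored as one draw from a 100,000-word dictionary, since
    an attacker tries whole words long before random eight-letter strings.
    """
    cases = {
        "8 chars, 94-symbol pool (3s+zq&KW style)": charset_entropy_bits(94, 8),
        "8 random lowercase letters": charset_entropy_bits(26, 8),
        "1 dictionary word (magazine style)": passphrase_entropy_bits(100_000, 1),
        "16 random lowercase letters": charset_entropy_bits(26, 16),
        "6 random words from a 7776-word list": passphrase_entropy_bits(7776, 6),
    }
    return {name: (round(bits, 1), years_to_exhaust(bits, guesses_per_second))
            for name, bits in cases.items()}


if __name__ == "__main__":
    print("example passphrase:", generate_passphrase(SAMPLE_WORDS, 4))
    for name, (bits, years) in compare_strengths().items():
        print(f"{name:42s} {bits:6.1f} bits  {years:12.2e} years at 10M guesses/s")
```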

For further tips on creating secure passwords, be sure to check out our previous blog post on the topic.

The best password managers of 2018

Do not store your login credentials in a text file. Storing all your passwords in a plaintext file means that a hacker can simply steal the entire list of passwords in one fell swoop and truly wreak havoc on your digital life. If you’re a business owner, storing passwords in plaintext also increases the risk of an internal security issue as employees are freely able to access login credentials. Just don’t do it.

At the same time, remembering dozens of lengthy random, unique character combinations is more or less impossible. The most secure way to store passwords in 2018 is to use a dedicated password manager.

What KeePass lacks in flashy user interfaces, it more than makes up for in smooth functionality. The free, open-source software features portable installation, which means you can run it straight from USB. It supports an impressive slew of security features, including a password generator, secure notes and a range of password entry options. There’s no official browser or Android implementation, though there are a number of unofficial options.

Login credentials are stored locally, meaning it’s less well-integrated than some cloud-based solutions (making it best suited to people who want a single device solution), but the upside is there’s also less risk of your passwords being leaked. As with all open-source software, you’re more than welcome to inspect the inner workings of KeePass, which gives technically minded users the opportunity to look for potential flaws in the code.

Dashlane is a cinch to use and comes packed with a bunch of features designed to keep your passwords safe. In addition to storing your login credentials and auto-filling them whenever you may require them, Dashlane also boasts a robust password generator and a digital wallet that manages your credit card information securely, allowing you to make online purchases quickly.

If you use the sync feature, Dashlane will store your encrypted data in the cloud; should you disable sync, your data is permanently deleted from their servers, leaving it stored locally on your computer.

Another user-friendly option, Sticky Password boasts some decent features wrapped up in a decidedly clean, if slightly outdated, design. As with many password managers, Sticky Password allows you to securely store and manage unlimited passwords on a single device or, if you upgrade to premium, sync your login credentials across multiple machines. In contrast to some password managers, Sticky Password can also handle application logins, which is great news if you regularly have to use password-protected software.

Being able to choose between syncing data on the Sticky Password servers or over your local Wi-Fi is a very nice touch for those who want an integrated solution without compromising security.

1Password might just be the best-looking Mac password manager on the market (but comes in Windows and browser flavors as well). It can do all the things you might expect of a good password manager, with some other goodies thrown into the mix such as organizing and syncing your software licenses and files. It’s worth noting that, unlike just about every other password manager, 1Password doesn’t use any form of 2FA and instead relies on end-to-end encryption and secret keys to ensure you are who you say you are.

RoboForm doesn’t bother with fanciful features or a beautiful GUI, and instead focuses its efforts on stellar password management. In addition to secure encryption, RoboForm supports application logins, note storage and emergency access. The highly customizable password generator is one of the best around and the company recently added support for limitless logins in the free version, making it a great choice for budget-conscious users in need of a great password manager.

bitwarden comes highly recommended from members of the lab team here at Emsisoft – and for very good reason. The open-source software features 2FA, end-to-end encryption and, unlike most of the other entries on this list, the free version even includes unlimited syncing across devices! bitwarden also packs a competent password generator and is compatible with a bunch of different operating systems and browsers. The icing on the cake is that you can choose to host the bitwarden infrastructure on the platform of your choice, meaning you don’t have to rely on bitwarden’s cloud service if you don’t want to.

There’s no native desktop application just yet (you have to run bitwarden through your browser), but apparently it is in the works and should be arriving soon.

LastPass frequently tops the list in any roundup of best password managers. Compatible across a range of operating systems and featuring a robust password generator, security challenges and 2FA (even with the free version!), LastPass has been the gold standard of password managers for quite some time now. However, it’s also worth keeping in mind that LastPass has been hacked in the past, though its advanced hashing meant that the criminals likely weren’t able to crack the stolen passwords.

Price: Free, $24/year for premium.

Securing passwords: No more excuses

It’s simply not possible to manually keep track of all the passwords that are part and parcel of modern life. The best way to securely generate and store your passwords in 2018 is to use a trusted password manager. It only takes a few minutes to set up, and the time investment is absolutely worth the peace of mind of knowing that your login credentials are safely stored away.

Be sure to use a proven security solution such as Emsisoft Anti-Malware in conjunction with your password manager to ensure your system is free of keyloggers and other malware that may compromise the safety of your login credentials.

Do you use an awesome password manager not mentioned on the list? Let us know in the comment section below!